From nobody  Thu Jan  7 07:41:11 1999
Received: (from nobody@localhost)
          by hub.freebsd.org (8.8.8/8.8.8) id HAA29457;
          Thu, 7 Jan 1999 07:41:11 -0800 (PST)
          (envelope-from nobody)
Message-Id: <199901071541.HAA29457@hub.freebsd.org>
Date: Thu, 7 Jan 1999 07:41:11 -0800 (PST)
From: mtaylor@cybernet.com
To: freebsd-gnats-submit@freebsd.org
Subject: src/sys/dev/dpt/dpt_control.c can cause a panic on boot
X-Send-Pr-Version: www-1.0

>Number:         9367
>Category:       kern
>Synopsis:       src/sys/dev/dpt/dpt_control.c can cause a panic on boot
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    freebsd-bugs
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Thu Jan  7 07:50:00 PST 1999
>Closed-Date:    Tue May 11 03:58:07 PDT 1999
>Last-Modified:  Tue May 11 04:05:44 PDT 1999
>Originator:     Mark J. Taylor
>Release:        Affects all who use "dpt" driver
>Organization:
Cybernet Systems
>Environment:
2.2.7, 2.2.8, 3.0, etc.
>Description:
During probe, the page lockdown code in dpt_control.c does some
bad math: it does not handle page-boundary conditions, and will not
end up mapping all of the requested addresses.  This will cause a panic:
page fault during probe on some systems.

>How-To-Repeat:
I have a machine that will panic every time (when using the dpt driver)
on kernel probe when there are 5 drives installed.  When there are 4
drives, it is fine.
>Fix:
Always allocate/deallocate an extra page.
There is also a bonus splx() fix on an early error return.

src/sys/dev/dpt/dpt_control.c:
*** 125,128 ****
--- 125,129 ----


+       req_size += PAGE_SIZE;
        size = (req_size / PAGE_SIZE + 1) * PAGE_SIZE;
        paddr = req_paddr & 0xfffff000;
***************
*** 144,148 ****
  /*
   * Release virtual space allocated by physmap We ASSUME that the correct
!  * srart address and the correct LENGTH are given.
   *
   * Disaster will follow if these assumptions are false!
--- 145,149 ----
  /*
   * Release virtual space allocated by physmap We ASSUME that the correct
!  * start address and the correct LENGTH are given.
   *
   * Disaster will follow if these assumptions are false!
--- 145,149 ----
  /*
   * Release virtual space allocated by physmap We ASSUME that the correct
!  * start address and the correct LENGTH are given.
   *
   * Disaster will follow if these assumptions are false!
***************
*** 154,157 ****
--- 155,159 ----
        int             ndx;

+       size += PAGE_SIZE;
        for (ndx = 0; ndx < size; ndx += PAGE_SIZE) {
                pmap_kremove((vm_offset_t) vaddr + ndx);
***************
*** 260,263 ****
--- 262,266 ----
        if ((addr = (char *) dpt_physmap(0x0475, 1024)) == NULL) {
                printf("DPT:  Cannot map BIOS address 0x0475.  No sysinfo... :-(
\n");
+               splx(ospl);
                return;
        }

>Release-Note:
>Audit-Trail:
State-Changed-From-To: open->closed 
State-Changed-By: jkh 
State-Changed-When: Tue May 11 03:58:07 PDT 1999 
State-Changed-Why:  
Applied (modulo redoing the patch; please check to see how this diff output 
got so mangled).  Thanks! 
>Unformatted:
